U.S. government seeking easier hacking sparks privacy debate

A government request to change federal court rules to make it easier to hack into computers during criminal investigations places a new twist in the debate over privacy rights versus fighting crime in the digital world.

The Justice Department is arguing for warrants that provide law enforcement with more flexibility in tracking down suspects using anonymizing tools, such as Tor, The Wall Street Journal reported.

The government is arguing that the number of criminals taking advantage of anonymization technologies is increasing, so law enforcement needs help in penetrating these cloaks for criminal activity. In essence, the government wants to obtain one warrant that allows it to hack one computer and use it as a springboard for searching systems it is connected to over the Internet.

For example, Tor scrambles governments' ability to identify people on the network by passing communications through many computers run by volunteers. To locate the system used by a suspect, the governments wants one warrant that would allow it to search many computers at the same time, as well as related storage, email and social media accounts.

While the government would break into computers using the same techniques as cybercriminals, such as sending carefully crafted email to get the recipient to click on a malicious attachment, the government avoids the word hacking and prefers such euphemisms as "network investigative tools" (NITs).

Authorizing law enforcement to cast such a wide net during criminal investigations concerns privacy advocates.

"We're obviously very worried about it because the government's 'network investigative tools' are really just invasive malware that should be used only in the most extreme of circumstances," Hanni Fakhoury, staff attorney for the Electronic Frontier Foundation, told CSOonline.

Giving the government to much flexibility threatens Americans' rights under the Fourth Amendment, which limits searches only to places where evidence is likely to be found, Fakhoury said. The DoJ proposal would allow "open-ended access to a whole host of information."

In addition, allowing the government to increase its use of exploits for software would hurt Internet security overall, since the malware used by law enforcement would eventually be discovered by cybercriminals.

"The more malware and exploits that are available on the market, the more everyone is exposed, regardless of whether they are criminals or not," Fakhoury said. "I would think it would be in the tech industry's best interest to be against this, as it leaves vulnerabilities exposed to the DoJ and malicious actors alike."

Al Pascual, analyst for security, risk and fraud at Javelin Strategy & Research, believes there is a middle ground. The courts could require greater specificity on what data is collected, from whom and in support of what charge, he said.

In addition, the DoJ could be required to reveal to the court the exact method it plans to use to snatch data, along with the steps being taken to minimize the gathering of information from uninvolved third parties. The government could also be required to say when and how that data would be destroyed.

"Transparency and data minimization are critical," Pascual said.

Denying law enforcement needed tools to catch criminals in the electronic world would damage society as much as going too far in compromising privacy rights.

"To deny law enforcement the ability to effectively hack criminals in the course of an investigation, because you believe that it violates privacy, would be tantamount to saying that police officers shouldn't carry firearms because you don't believe in violence," Pascual argued.

As an example of how criminals use Tor, the government submitted documents to the courts' rule-making body, called the U.S. Judicial Conference, describing an investigation of suspected child pornographers who visited a U.S. site on the network.

"In this case, law enforcement knew the physical location of the servers used to host the hidden service," the document said. "However, without use of a NIT, investigators could not identify the administrators or users of the hidden service."

While some judges have already granted warrants for hacking systems, one judge denied a government request, because of the current rules, The Journal reported.

Latest Videos

Hear from Invictus Games Sydney 2019 CEO, Patrick Kidd OBE and Head of Technology, @James-d-smith -share their insights on how they partnered with Unisys to protect critical data over an open, public WiFi solution.

With so much change all the time, how can executives best prepare their businesses to meet the security challenges of the coming years? CSO Australia, in conjunction with Mimecast, explored this question in an interactive Webinar that looks at how the threat landscape has evolved – and what we can expect in 2019 and beyond.

According to new research conducted by the Ponemon Institute, Australia and New Zealand have the highest levels of data breaches out of the nine countries investigated. This was linked to heavy investment in security detection and an under-investment in security and vulnerability response capabilities

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.